BitLab Informatics Ltd.

Installing and running

  1. Download
    You can download it from here.
  2. Unpack
    Use the tar zxf trftp.tar.gz command to unpack the sources.
  3. Compile
    Use make to compile the source files. If everything goes well, you will end up with an executable file called trftp.
  4. Install
    Copy it to the firewall (hopefully you did not compile it on the firewall itself!). The preferred location is /usr/local/sbin, but you can copy it into any other location as well. Configure inetd or xinetd.

    My xinetd config file looks like this:

    # default: on
    # description: Transparent ftp proxy daemon
    service trftp
    {
            type            = UNLISTED
            protocol        = tcp
            port            = 99
            flags           = REUSE
            socket_type     = stream
            wait            = no
            # root is needed because active-mode data connections are sourced from port 20 (see the iptables rules below)
            user            = root
            # must point at where you actually copied the binary (step 4 suggests /usr/local/sbin)
            server          = /usr/local/bin/trftp
            log_on_failure  += USERID
            disable         = no
    }
    

    Don't forget to reload the inetd/xinetd!
  5. Configure iptables
    My rules look like this:
    # eth0 is taken to be the internal (client) side and eth1 the external (server) side, as the rules below imply.
    # Keep the firewall itself from looping back into port 21 or 99 over lo.
    # (-i is not valid in the OUTPUT chain, and --dport needs -p tcp.)
    iptables -A OUTPUT -o lo -p tcp --dport 21 -j REJECT
    iptables -A OUTPUT -o lo -p tcp --dport 99 -j REJECT
    # control
    # Without an -i match this redirects FTP arriving on any interface; add -i eth0 to limit it to inside clients.
    iptables -t nat -A PREROUTING -p tcp --sport 1024: --dport 21 -j REDIRECT --to-ports 99
    iptables -A INPUT -p tcp -i eth0 --sport 1024: --dport 99 -j ACCEPT
    iptables -A OUTPUT -p tcp ! --syn -o eth0 --sport 99 --dport 1024: -j ACCEPT
    iptables -A OUTPUT -p tcp -o eth1 --sport 1024: --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp ! --syn --sport 21 --dport 1024: -j ACCEPT
    # data - active mode
    iptables -A OUTPUT -p tcp -o eth0 --sport 20 --dport 1024: -j ACCEPT
    iptables -A INPUT -p tcp ! --syn -i eth0 --sport 1024: --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp -i eth1 --sport 20 --dport 1024: -j ACCEPT
    iptables -A OUTPUT -p tcp ! --syn -o eth1 --sport 1024: --dport 20 -j ACCEPT
    # data - passive mode
    iptables -A INPUT -p tcp -i eth0 --sport 1024: --dport 1024: -j ACCEPT
    iptables -A OUTPUT -p tcp ! --syn -o eth0 --sport 1024: --dport 1024: -j ACCEPT
    iptables -A OUTPUT -p tcp -o eth1 --sport 1024: --dport 1024: -j ACCEPT
    # replies from the server side come back in on eth1, matching the active-mode pattern above
    iptables -A INPUT -p tcp ! --syn -i eth1 --sport 1024: --dport 1024: -j ACCEPT
    
    If you have no idea what this is, then you shouldn't do this.
  6. Try it
    At this point it should work and forward your FTP requests. As it is a transparent proxy, no configuration is required on the client side.
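The daemon from step 4 only works because of something step 5 leaves implicit: the REDIRECT rule rewrites the packet's destination to the firewall's port 99, so the proxy has to ask the kernel which FTP server the client actually wanted before it can relay anything. This added Python example (not trftp's own code) shows that lookup via the Linux SO_ORIGINAL_DST option together with the loop and port checks a proxy should make first; that xinetd hands the connection over on fd 0 and that only IPv4 is in play are assumptions.

```python
"""Recover a redirected client's real FTP server (added example, not trftp code).
REDIRECT rewrites the destination to the firewall's port 99, so the proxy must
ask connection tracking for the original one via SO_ORIGINAL_DST (Linux only).
Assumed: IPv4, and xinetd (socket_type=stream, wait=no) hands the client on fd 0."""
import socket
import struct
import sys
from typing import FrozenSet, Optional, Tuple

SO_ORIGINAL_DST = 80  # value from <linux/netfilter_ipv4.h>; not exported by the socket module
FTP_CONTROL_PORT = 21


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """struct sockaddr_in: family (host order), port (network order), addr, 8 pad bytes."""
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + b"\0" * 8)


def parse_sockaddr_in(raw: bytes) -> Tuple[str, int]:
    """Decode the sockaddr_in that SO_ORIGINAL_DST returns (AF_INET only)."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    return socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]


def original_destination(sock: socket.socket) -> Tuple[str, int]:
    """Ask the kernel where the client really wanted to connect."""
    return parse_sockaddr_in(sock.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def check_target(dst: Tuple[str, int], local_addrs: FrozenSet[str]) -> Optional[str]:
    """Reason to refuse the connection, or None if it is a sane FTP target: refuses
    non-FTP ports and the firewall itself (a loop, the reason for the lo REJECT rules)."""
    ip, port = dst
    if port != FTP_CONTROL_PORT:
        return "not an ftp control connection (port %d)" % port
    if ip.startswith("127.") or ip in local_addrs:
        return "original destination %s is the firewall itself" % ip
    return None


if __name__ == "__main__":  # started by xinetd: the client connection is stdin
    conn = socket.socket(fileno=sys.stdin.fileno())
    dst = original_destination(conn)
    problem = check_target(dst, frozenset(socket.gethostbyname_ex(socket.gethostname())[2]))
    if problem:
        conn.sendall(b"421 " + problem.encode() + b"\r\n")
        sys.exit(1)
    sys.stderr.write("would relay the control channel to %s:%d\n" % dst)
```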